The purpose of this guide is to explain the basic concepts and provide general procedures and commands to deploy Cisco® Catalyst® 3850 Switches. It does not provide detailed information about these commands.

This guide is for networking professionals who are responsible for designing, implementing, or administering a network that includes a standalone Cisco Catalyst 3850 Switch or a Cisco Catalyst 3850 Switch stack, referred to as the switch. Readers of this guide are expected to have prior experience working with the Cisco IOS® Software and familiarity with the concepts and terminology of local area networking, wireless local area networking, and Layer 2 and Layer 3 switching.

The next-generation Cisco Catalyst 3850 Switch meets the current and future demands of enterprise access-layer networks. As these networks incorporate ever more technologies, they must be secure, scalable, and resilient. The Cisco Catalyst 3850 Switch offers operational simplicity, scalability, and superb performance. The new Cisco StackWise-480 stack architecture delivers the industry’s best-in-class stack bandwidth and resiliency.

The Cisco Catalyst 3850 Switch (similar to the Cisco Catalyst 3750-X Switch) has two console ports: a USB mini console port in the front and an RJ45 console port in the rear. You can use either port (but not both) for input. However, both ports always display the switch output.

The USB console port has a configurable inactivity timer that automatically disables the port after a specified period from 1 to 240 minutes. Use this command to configure the inactivity timeout interval:

Cisco Catalyst 3850 Switches shipped to customers from manufacturing boot up in install mode. The Cisco Catalyst 3850 Switch is booted in install mode using a package provisioning file packages.conf. Do not modify this file.

In this example, the Cisco Catalyst 3850 Switch is configured to autoboot from the built-in flash memory:

Switch# show boot

---------------------------

Switch 1

---------------------------

Current Boot Variables:

BOOT variable does not exist

Boot Variables on next reload:

BOOT variable = flash:packages.conf

Allow Dev Key = yes

Manual Boot = no

Enable Break = no

The show version command output displays the Cisco Catalyst 3850 Switch mode of operation:

Switch# show version | begin Switch Ports

Switch Ports Model SW Version SW Image Mode

------ ----- ----- ---------- ---------- ----

* 1 32 WS-C3850-24U 03.07.00.E cat3k_caa-universalk9 INSTALL

Configuration register is 0x102

The packages and the provisioning file reside in the flash.

Note: Booting in install mode from a USB flash drive or using Trivial File Transfer Protocol (TFTP) is not supported.

Booting a Cisco Catalyst 3850 Switch in bundle mode is just like booting a monolithic Cisco IOS Software image on a Cisco Catalyst 3750-X Switch.

This command boots the switch in bundle mode:

switch: boot flash:cat3k_caa-universalk9.SPA.03.07.00.E.152-3.E.bin

Reading full image into memory...........................................................................................................................................................................................................................................................................................................done

Bundle Image

<Output Truncated>

Note: Booting the switch in bundle mode consumes more memory than booting in install mode because the packages are extracted from the bundle and copied to the RAM.

You can boot the switch in bundle mode from the built-in flash memory, an external USB drive (usbflash0), or TFTP. Bundle mode is used to boot a Cisco Catalyst 3850 Switch from the boot loader prompt.

The software rollback command allows you to revert to an earlier Cisco IOS XE Software package after a software install. Software rollback is functional only when at least one rollback package with the file name packages.conf.00- is present. The rollback file is created automatically during the Cisco Catalyst 3850 Switch Cisco IOS XE Software image update process.

This example shows the flash directory of a switch with an available rollback package:

Switch# dir flash:

Directory of flash:/

38738 -rw- 856 Apr 14 2015 21:06:25 +00:00 vlan.dat

12 -rw- 1248 Jul 7 2014 07:07:46 +00:00 packages.conf.00-

<Output Truncated>

To revert to an earlier software image, use the software rollback command with the rollback package name:

The Cisco Catalyst 3850 Switch shipped from manufacturing is configured to autoboot Cisco IOS XE Software from the built-in flash and display the autoconfiguration dialog. In special circumstances a boot loader upgrade might be necessary for a Cisco IOS XE Software image upgrade.

These are the steps to upgrade a Cisco Catalyst 3850 Switch boot loader image:

The Cisco IOS XE Software image for the Cisco Catalyst 3850 Switch is distributed as a bundle image. You cannot copy this bundle directly to the flash and then boot the switch. You must install the Cisco IOS XE Software bundle into the flash and then boot the switch from the installed software using the install mode. Perform this procedure if the Cisco IOS XE Software image that resides in the flash memory becomes corrupted.

Use the ping command to confirm TFTP connectivity from the boot loader prompt:

● The RTU license is purchased along with the Cisco Catalyst 3850 Switch (or separately) and is NOT tied to the unique device identifier (product ID + serial number) of a switch.

● When you purchase a switch, the license you specified in the purchase order is preinstalled.

● To upgrade the license, you can order an upgrade license and receive an electronic or printed license. After accepting the end-user license agreement (EULA), you enable the upgrade by using a simple CLI command.

● To transfer RTU licenses from one switch to another, deactivate the license on one switch and activate it on another.

This is a paid license that does not expire. You can activate permanent RTU licenses after you accept the EULA. The EULA assumes you have purchased the permanent license. There are two types of permanent RTU licenses:

● Image-based (or feature set) license

● Adder AP-Count license

Image-based license: This license is activated by Cisco before the switch is shipped and requires no customer configuration to enable it. Supported license levels include LAN Base, IP Base, and IP Services.

You can upgrade, disable, or move image-based licenses by using the license right-to-use command, either for individual switches or for all switches in a stack. Reload the switch or stack to activate the highest level license. For example, if you upgrade the license level from IP Base to IP Services, then the IP services license is activated by reloading the switch.

This command enables the ipservices license and accepts the EULA on all switches in the stack:

Adder AP-Count license: The adder AP-Count license is an “add as you grow” license. You can add access point licenses as your network grows. You activate an adder AP-count license by using EXEC commands, and it is activated without a switch reload.

This example shows the license summary display for a switch with an activated adder AP-Count license:

In a Cisco Catalyst 3850 Switch stack, all switches must be at the same image-based license (IP Services/IP Base/LAN Base) level. The active switch license level is considered the reference, and the member switch licenses are compared to it. If there is a mismatch, the active switch displays a syslog message saying that the stack configuration was unsuccessful.

This is an example of the display on the active switch console:

%STACKMGR-1-STACK_LINK_CHANGE: Stack port 1 on switch 2 is up

Switch 2 has a license mismatch with the stack. Only on activating a compatible license will the switch join the stack.

Switch# show switch

Switch/Stack Mac Address : 00e1.6d52.c600 - Local Mac Address

Mac persistency wait time: Indefinite

H/W Current

Switch# Role Mac Address Priority Version State

--------------------------------------------------------------------

*1 Active 00e1.6d52.c600 15 V03 Ready

2 Member 44ad.d96d.b480 1 0 Lic-Mismatch

3 Member 0000.0000.0000 0 0 Provisioned

This message appears on the member switch console:

Switch# show license right-to-use mismatch

Slot# License Name Adder AP Count Base AP Count

----------------------------------------------------------

2 ipbase 50 0

Switch# show license right-to-use summary

License Name Type Count Period left

-----------------------------------------------

ipservices permanent N/A Lifetime

apcount base 0 Lifetime

apcount adder 0 Lifetime

--------------------------------------------

License Level In Use: ipservices

License Level on Reboot: ipservices

Evaluation AP-Count: Disabled

Total AP Count Licenses: 0

AP Count Licenses In-use: 0

AP Count Licenses Remaining: 0

To enable the member switch to join the stack, change the license level of the member switch (switch 2) by activating the license from the active switch console:

AP-Count license is available only with IP Base and IP Services licenses. A Cisco Catalyst 3850 Switch stack can support a maximum of 50 access points. An AP-Count license is required only if a Cisco Catalyst 3850 Switch is configured as both a mobility controller and a mobility agent. An AP-Count license is not needed if the Cisco Catalyst 3850 Switch is configured only as a mobility agent, which is the default configuration.

The total AP-Count license of a Cisco Catalyst 3850 Switch stack is equal to the sum of all the individual member AP-Count licenses, up to a maximum of 50 AP-Counts. The total AP-Count license of the stack is affected when stack members are added or removed:

● When new members are added to the stack, the total AP-Count license of the stack is automatically recalculated.

● When members are removed from the stack, the AP-Count license contributed by the removed switch is decremented from the total available AP-Count license in the stack.

● If more AP-Counts are connected than the available AP-Count license, a syslog warning message indicates this fact without disconnecting the excess connected AP-Counts until a stack reload.

● After the stack reload, the surplus AP-Counts are removed from the total AP-Count. The following examples explain the process.

Stack member addition example: A Cisco Catalyst 3850 Switch stack includes 3 switches, each with an AP-Count license that allows 10 AP-Counts, for a total of 30 supported AP-Counts. When a new Cisco Catalyst 3850 Switch (switch 4) is added to the stack with an AP-Count license allowing 25 AP-Counts, the stack supports a total of 50 AP-Counts because the total number of 55 access points (30+25) exceeds the stack limit.

Stack member removal example: In the preceding example, if switch 4 is removed from the stack, the AP-Count license remains at 50 AP-Counts until the stack is reloaded, if 50 AP-Counts are connected and active in the stack. After reload, the stack returns to its original value of 30 AP-Counts.

When the AP-Count for a stack exceeds 50, a syslog message appears in the active and member switches to indicate the excess AP-Count:

%SMN_HBL_LICENSE-1-EXCESS_AP_LIC: Total AP Count Licenses available have exceeded the Maximum supported AP Count by 60

Switch# show license right-to-use summary

License Name Type Count Period left

-----------------------------------------------

ipservices permanent N/A Lifetime

apcount base 0 Lifetime

apcount adder 110 Lifetime

--------------------------------------------

License Level In Use: ipservices

License Level on Reboot: ipservices

Evaluation AP-Count: Disabled

Total AP Count Licenses: 50

AP Count Licenses In-use: 0

AP Count Licenses Remaining: 50

By default the Cisco Catalyst 3850 Switch stack is configured as a mobility agent. In the wireless licensing model, a mobility agent is the access point count enforcement point. A mobility controller is the access point count management point. A Cisco Catalyst 3850 Switch stack can be configured as either a mobility controller or a mobility agent, or both, depending on the deployment requirement.

Figure 3 shows a typical licensing protocol interaction between an AP-Count, a mobility agent, and a mobility controller:

Figure 3. Licensing Protocol Call Flow

In a large deployment, a Cisco Catalyst 3850 Switch stack is the mobility agent, and a 5760 wireless controller is the mobility controller. In a split mobility agent-mobility controller deployment, the AP-Count is managed at the mobility controller level.

You can easily migrate RTU licenses between Cisco Catalyst 3850 Switches. Both image-based and AP-Count licenses can be deactivated from one switch and activated on another switch. To deactivate a license, use the license right-to-use deactivate EXEC command. To activate a license, use the license right-to-use activate EXEC command.

An evaluation license allows you to evaluate any license for 90 days free of charge. To activate an evaluation license, accept the EULA. The evaluation license EULA assumes that you will purchase a permanent license within 90 days; if you do not purchase a permanent license, the evaluation license is deactivated after 90 days. You receive a syslog message warning about deactivation 10 days before the evaluation license expires and another message 5 days before expiration. After the 90-day period expires, syslog messages appear every day until you reload the switch:

Note: You can activate a 90-day evaluation license only once on each Cisco Catalyst 3850 Switch. After the 90 days have expired, you cannot activate another 90-day evaluation license on the same switch.

The license usage record is maintained in the Cisco Catalyst 3850 Switch or switch stack for individual switches. The usage information is maintained from the initial boot and across reloads and includes the status of the EULA, in-use condition, and type of license. Deactivating a license resets the EULA status. The license information is updated daily for active in-use licenses and can be displayed by using the show license right-to-use usage command:

● License usage of the active licenses is updated once daily in the license detail file. The license right-to-use activate and license right-to-use deactivate commands also update the license detail file.

● A checksum is maintained and verified to prevent any tampering with the license files.

● Following activation, a license remains activated during reloads and image upgrades and downgrades.

● Erasing the configuration does not affect the license file because it is hidden in the flash.

● If the license file in the primary partition is corrupted or tampered with, the license file from the backup partition is used.

● If both the partitions are corrupted, Cisco can recreate the license files using the factory default files.

The new StackWise-480 architecture allows you to build a high-speed stack ring with superior features and services scalability compared with StackWise Plus. The initial software version supports physically stacking up to four Cisco Catalyst 3850 Switches to form a stack ring. To accommodate varying port density requirements, the hardware can support both 48- and 24-port switches in a single stack ring. The Cisco Catalyst 3850 Switch deployed in stack mode is designed to deliver deterministic nonblocking switching performance to as many as 208 ports, including both wired and wireless network devices. The Cisco Catalyst 3850 Switch delivers uncompromised hardware-accelerated, rich integrated borderless network services and enterprise-class system resiliency. (See Figures 4 and 5).

Figure 4. Cisco Catalyst 3850 StackWise-480 Switch Stack Front View

Figure 5. Cisco Catalyst 3850 StackWise-480 Switch Stack Rear View

The system architecture of the Cisco Catalyst 3850 Switch is designed to evolve as a solution engine that enables converged access infrastructure and rich integrated technologies with unparalleled application performance. This new Cisco switch delivers the simplified system operation tools that network administrators need to manage increasingly complex and feature-rich networks.

Cisco StackWise-480 provides a robust distributed forwarding architecture through each stack member switch and a unified, fully centralized control and management plane to simplify operation in a large-scale network design. One switch in a stack ring is elected to be the active switch. The active switch controls the management plane of the entire stack from both the network and user perspective. Figure 6 illustrates the physical versus logical view of a system in stack configuration mode.

The system roles in the new resilient StackWise-480 architecture can be verified using the show switch EXEC command. The network administrator can check the current state of each member switch in the stack ring and identify the switch that is in hot-standby mode. The hot-standby switch assumes the active role when it detects a failure of the primary active switch.

This example shows the output of the show switch command used to display the switch roles in a configuration:

Stack architecture allows network expansion when additional ports are required in the wiring closet. The hardware and software architecture of the Cisco Catalyst 3850 Switch allows you to insert new Cisco Catalyst 3850 Switches in a stack ring without major network disruption. The system and management operation, network configuration, and topologies remain transparent to the network, providing nonstop business communication during the upgrade.

This example shows the output of the show switch stack-ports summary command:

The Cisco IOS XE Software high-availability framework is enabled by default on Cisco Catalyst 3850 Switches when they are deployed in StackWise-480 mode. The newly provisioned Cisco Catalyst 3850 Switch automatically discovers and dynamically joins the stack ring. The Cisco StackWise-480 technology features system-level N:1 high availability. Adding switches to and removing switches from a stack do not affect the active and hot standby roles already in effect in the stack.

To enable stateful switchover (SSO) resiliency in Cisco StackWise-480 mode, you must configure each switch with the same Cisco IOS XE Software version and license. Figure 7 illustrates system roles and operation of Cisco StackWise-480 when you add Cisco Catalyst 3850 Switches to a stack.

The unique high-availability architecture in the Cisco StackWise-480 design enables distributed network services, such as flexible NetFlow, quality of service (QoS), and more, as well as providing system-level redundancy for all stack-member switches. During a complete stack reload, all switches participate in an election process to determine assignment of the active and standby roles. Several criteria, including switch priority and MAC addresses, are compared to elect the active and standby switches in the stack.

To view information about the switches in the stack (model, serial number, and so on), use the show module command:

Switch# show module

Switch Ports Model Serial No. MAC address Hw Ver. Sw Ver.

------ ----- ----- ----------- ----------- ------ --------

1 32 WS-C3850-24S FOC1852U0NR c472.954f.5380 V01 03.07.00.E

2 56 WS-C3850-48P FOC1717V0NH 44ad.d96d.b480 V01 03.07.00.E

3 32 WS-C3850-24P FOC1824X086 00e1.6d52.c600 V03 03.07.00.E

4 32 WS-C3850-24U FOC1729Z182 f84f.576f.e100 V01 03.07.00.E

To assign the active and standby roles to specific switches, configure the default switch priority for all switches in the stack. You configure the priority once, usually during the initial configuration process, but you can change the configuration at any time. The configured switch priorities are immediately set in the boot loader configuration of each switch in the stack. This means the switch priority configuration cannot be verified from the startup or running configuration because it is programmed into different configuration components. The switch priority configuration in boot loader is parsed during the boot cycle, not read from the startup configuration stored in NVRAM.

To modify the default switch priority, use these EXEC commands:

Switch# switch <number> priority 15

!Set priority 15 to elect switch in ACTIVE role

Switch# switch <number> priority 14

!Set priority 14 to elect switch in STANDBY role

Switch# switch <number> priority 13

!Set priority 13 to elect switch in next STANDBY role

Switch# switch <number> priority 12

!Set priority 12 to elect switch in next STANDBY role

To configure the switch number, use this command:

Switch# switch <number> renumber <number>

!Statically renumber switch in stack ring

This example shows the priority of each switch and its role:

Switch# show switch

Switch/Stack Mac Address : f84f.576f.e100 - Local Mac Address

Mac persistency wait time: Indefinite

H/W Current

Switch# Role Mac Address Priority Version State

--------------------------------------------------------------------

1 Member c472.954f.5380 12 V01 Ready

2 Standby 44ad.d96d.b480 14 V01 Ready

3 Member 00e1.6d52.c600 13 V03 Ready

*4 Active f84f.576f.e100 15 V01 Ready
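The following Python check is an added example, not part of the original guide or of Cisco's tooling. It parses the member table of show switch, using the two tables shown in this guide as constructed sample input, flags Lic-Mismatch members and a missing standby, and reports when the roles differ from what the configured priorities call for. Assumption: the highest and second-highest priorities among Ready switches mark the intended active and standby switches; priority ties are reported rather than resolved.

```python
import re
from collections import Counter

# Constructed sample input: the two "show switch" member tables from this
# guide, with single spaces between columns.
MISMATCH_STACK = """\
*1 Active 00e1.6d52.c600 15 V03 Ready
 2 Member 44ad.d96d.b480 1 0 Lic-Mismatch
 3 Member 0000.0000.0000 0 0 Provisioned
"""
PRIORITY_STACK = """\
 1 Member c472.954f.5380 12 V01 Ready
 2 Standby 44ad.d96d.b480 14 V01 Ready
 3 Member 00e1.6d52.c600 13 V03 Ready
*4 Active f84f.576f.e100 15 V01 Ready
"""

# One member row. \s* between role and MAC tolerates pasted output in which
# the two columns have run together ("Memberc472.954f.5380").
ROW = re.compile(
    r"^\s*\*?\s*(?P<num>\d+)\s+(?P<role>Active|Standby|Member)\s*"
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+(?P<prio>\d+)\s+"
    r"(?P<hw>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_show_switch(text):
    """Return one dict per member row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"num": int(m["num"]), "role": m["role"],
                         "mac": m["mac"].lower(), "priority": int(m["prio"]),
                         "state": m["state"]})
    return rows


def audit_stack(text):
    """Return (switch_number_or_None, finding_code) tuples for one table."""
    rows = parse_show_switch(text)
    # A member in Lic-Mismatch has not joined the stack.
    findings = [(r["num"], "LIC_MISMATCH")
                for r in rows if r["state"] == "Lic-Mismatch"]
    ready = sorted((r for r in rows if r["state"] == "Ready"),
                   key=lambda r: r["priority"], reverse=True)
    if not any(r["role"] == "Standby" for r in ready):
        findings.append((None, "NO_STANDBY"))  # nothing to take over on failure
    ties = Counter(r["priority"] for r in ready)
    # Assumption (hypothetical policy): rank 0 by priority should be Active and
    # rank 1 should be Standby. Roles are assigned at an election, so a
    # difference usually means priorities changed or members joined afterwards.
    for rank, role in enumerate(("Active", "Standby")):
        if rank >= len(ready):
            break
        candidate = ready[rank]
        if ties[candidate["priority"]] > 1:
            findings.append((None, "PRIORITY_TIE"))  # not resolved here
            break
        if candidate["role"] != role:
            findings.append((candidate["num"], "EXPECTED_" + role.upper()))
    return findings


if __name__ == "__main__":
    for name, table in (("mismatch", MISMATCH_STACK), ("priority", PRIORITY_STACK)):
        print(name, audit_stack(table))
```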

The Cisco Catalyst 3850 Switches support a wide range of Layer 2, Layer 3, and wireless stateful capabilities to provide nonstop network communication. In real time, the Cisco IOS XE Software running on the active switch synchronizes its protocol state machines, software forwarding tables, and system configuration to the Cisco IOS XE Software instance running on the standby switch. The other primary core services hosted by Cisco IOS XE Software are the integrated applications, such as the wireless control module (WCM). In Cisco StackWise-480 mode, the WCM is operational on the active Cisco Catalyst 3850 Switch that communicates with the locally attached Cisco wireless access points (WAPs), wireless clients, and distributed mobility peers to build a roaming network domain. The WCM on the standby switch is in hot-standby state as a Cisco IOS XE Software process. In real time, the active WCM performs the stateful synchronization of wireless protocols and control and provisioning of wireless access points (CAPWAP) tunnel information with the standby switch. If the active switch fails, the standby switch becomes the wireless controller by resynchronizing with the Cisco WAPs and mobility peers.

In the initial software release, the Cisco Catalyst 3850 Switch supports CAPWAP tunnels and Dynamic Transport Layer Security (DTLS), but not high availability for wireless clients. During a switchover, the new active WCM flushes the last-known wireless client and rebuilds the database and forwarding tables. As a result, the wireless client must restart communication with new wireless controller, using the same initial steps (such as 802.1X authentication, Dynamic Host Configuration Protocol [DHCP] request, and so on) to reconnect to the network.

To maximize availability, the SSO capability is enabled by default when Cisco Catalyst 3850 Switches are deployed in Cisco StackWise-480 mode. No user configuration is required to enable SSO capability on a Cisco Catalyst 3850 Switch stack. You can verify that SSO is configured and operational by using the show redundancy state command. This is sample output showing SSO redundancy in a Cisco StackWise-480-based network design:

Switch# show redundancy state

my state = 13 -ACTIVE

peer state = 8 -STANDBY HOT

Mode = Duplex

Unit ID = 4

Redundancy Mode (Operational) = SSO

Redundancy Mode (Configured) = SSO

Redundancy State = SSO

Manual Swact = enabled

Communications = Up

client count = 91

client_notification_TMR = 360000 milliseconds

keep_alive TMR = 9000 milliseconds

keep_alive count = 0

keep_alive threshold = 9

RF debug mask = 0

In stacking mode, the Cisco Catalyst 3850 active switch automatically performs SSO protocol synchronization with the standby switch. By default, the nonstop forwarding (NSF) subsystem in all the switches in a Cisco Catalyst 3850 Switch stack operates in NSF helper mode and supports nonstop data forwarding and graceful recovery during active to standby (Layer 3) switchover. Implementing NSF capability allows the remaining Cisco Catalyst 3850 Switches in the stack to continue forwarding data while the new active switch gracefully recovers the protocol state machines. To enable the graceful restart capability for supported protocols, you must manually enable graceful-restart capability under a routing instance. This sample configuration shows how to enable NSF capability for Enhanced Interior Gateway Routing Protocol (EIGRP):

Cisco Catalyst 3850 switch database manager (SDM) templates allow configuring the hardware resources based on the license level and features enabled in the switch. Two SDM templates are provided in the Cisco Catalyst 3850 Switch:

Advanced: This is the default template for all license levels. The advanced SDM template maximizes system resources for advanced features such as NetFlow, security access control, flow SPAN, multicast groups, and more.

VLAN: This template is available only in the LAN base license level and is enabled when the Cisco Catalyst 3850 Switch is deployed as a Layer 2 switch. Wireless features will not work with this SDM template configuration.

Table 1 details the resource allocation for VLAN and advanced SDM templates. These resource allocations are based on L2 and IPv4 features. Because IPv6 features consume twice the ternary content addressable memory (TCAM) table size of IPv4 table entries, the switch supports half the number of TCAM table entries for IPv6.

Changes to the running SDM preferences have been stored, but cannot take effect until the next reload. Use 'show sdm prefer' to see what SDM preference is currently active.

Reload the switch to activate the SDM template change.

Switch# show sdm prefer

Showing SDM Template Info

This is the VLAN template (high scale) for a typical Layer 2 network.

Number of VLANs: 4094

Unicast MAC addresses: 32768

Overflow Unicast MAC addresses: 512

IGMP and Multicast groups: 8192

Overflow IGMP and Multicast groups: 512

Directly connected routes: 16384

Indirect routes: 7168

Security Access Control Entries: 3072

QoS Access Control Entries: 3072

Policy Based Routing ACEs: 0

Netflow ACEs: 768

Wireless Input Microflow policer ACEs: 0

Wireless Output Microflow policer ACEs: 0

Flow SPAN ACEs: 512

Tunnels: 0

Control Plane Entries: 512

Input Netflow flows: 8192

Output Netflow flows: 16384

SGT/DGT entries: 4096

SGT/DGT Overflow entries: 512

These numbers are typical for L2 and IPv4 features.

Some features such as IPv6, use up double the entry size;

so only half as many entries can be created.

Use the show sdm prefer command to confirm the current SDM template setting after the reload:

Switch# show sdm prefer

Showing SDM Template Info

This is the Advanced (high scale) template.

Number of VLANs: 4094

Unicast MAC addresses: 32768

Overflow Unicast MAC addresses: 512

IGMP and Multicast groups: 8192

Overflow IGMP and Multicast groups: 512

Directly connected routes: 16384

Indirect routes: 7168

Security Access Control Entries: 3072

QoS Access Control Entries: 2816

Policy Based Routing ACEs: 1024

Netflow ACEs: 768

Wireless Input Microflow policer ACEs: 256

Wireless Output Microflow policer ACEs: 256

Flow SPAN ACEs: 512

Tunnels: 256

Control Plane Entries: 512

Input Netflow flows: 8192

Output Netflow flows: 16384

SGT/DGT entries: 4096

SGT/DGT Overflow entries: 512

These numbers are typical for L2 and IPv4 features.

Some features such as IPv6, use up double the entry size;

so only half as many entries can be created.
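A pre-change check for an SDM template switch, as an added example that is not part of the original guide or of Cisco's tooling. It parses the two show sdm prefer outputs above (copied in as constructed sample input), lists the allocations that differ, and reports resources whose entries in use would no longer fit under the target template. The in-use counts passed to shortfalls() are hypothetical, caller-supplied values.

```python
import re

# Constructed sample input: the allocation rows of the two "show sdm prefer"
# outputs in this guide (VLAN template, then Advanced template).
VLAN_TEMPLATE = """\
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
IGMP and Multicast groups: 8192
Overflow IGMP and Multicast groups: 512
Directly connected routes: 16384
Indirect routes: 7168
Security Access Control Entries: 3072
QoS Access Control Entries: 3072
Policy Based Routing ACEs: 0
Netflow ACEs: 768
Wireless Input Microflow policer ACEs: 0
Wireless Output Microflow policer ACEs: 0
Flow SPAN ACEs: 512
Tunnels: 0
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT entries: 4096
SGT/DGT Overflow entries: 512
"""
ADVANCED_TEMPLATE = """\
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
IGMP and Multicast groups: 8192
Overflow IGMP and Multicast groups: 512
Directly connected routes: 16384
Indirect routes: 7168
Security Access Control Entries: 3072
QoS Access Control Entries: 2816
Policy Based Routing ACEs: 1024
Netflow ACEs: 768
Wireless Input Microflow policer ACEs: 256
Wireless Output Microflow policer ACEs: 256
Flow SPAN ACEs: 512
Tunnels: 256
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT entries: 4096
SGT/DGT Overflow entries: 512
"""

SDM_ROW = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<count>\d+)\s*$")


def parse_sdm(text):
    """Map each 'Resource: N' row to its allocation; prose lines are skipped."""
    matches = (SDM_ROW.match(line) for line in text.splitlines())
    return {m["name"]: int(m["count"]) for m in matches if m}


def template_change(current, target):
    """Rows whose allocation differs, as {resource: (current, target)}."""
    cur, tgt = parse_sdm(current), parse_sdm(target)
    return {name: (cur.get(name), tgt.get(name))
            for name in sorted(cur.keys() | tgt.keys())
            if cur.get(name) != tgt.get(name)}


def zeroed_by_change(current, target):
    """Resources with hardware entries now and none under the target template."""
    return [name for name, (now, later) in template_change(current, target).items()
            if now and not later]


def shortfalls(in_use, target):
    """Resources whose entries in use exceed the target template's allocation."""
    alloc = parse_sdm(target)
    return {name: (used, alloc.get(name, 0))
            for name, used in in_use.items() if used > alloc.get(name, 0)}
```

Run against the Advanced and VLAN outputs, the zeroed rows are the policy-based routing, tunnel and wireless policer allocations.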

In a Cisco Catalyst 3850 Switch stack, an SDM template mismatch does NOT matter. As long as the license level matches, SDM mismatches are ignored, and all the stack switches use the active switch SDM template.

SDM template resources are crucial for normal operation of the Cisco Catalyst 3850 Switch. These resources are consumed based on the features/configuration and the traffic profile. Cisco recommends monitoring (for example, with Embedded Event Manager scripts) of TCAM resource utilization.